Throughout my audits and consultancies I have already encountered several cases in which companies certified to an ISO standard that includes a business continuity domain, for example ISO 27001, tell me themselves that this part is very academic and is not really serving them much.
Their question is: Do I start the procedures to implement ISO 22301, or can the result be more academic than practical?
My answer is: It depends on who you do it with and the management's commitment to certification.
And my proposal is: Start working to cover your real business continuity needs, with help from external consulting if you don't feel prepared, and only if you have the support of management. If you have 27001, document it in the corresponding domain. When you already have some maturity and control over business continuity, go for ISO 22301 certification.
So, is certification not important?
Of course it is, and in some companies I would almost say it is even mandatory, but it matters more that whatever is developed in this regard helps the company meet its objectives and preserve its business in any scenario that may arise.